[RESOLVED] Zone-policy + port forwarding

Hello,

I’ve got a VyOS lab with 2 LANs:

DMZ (WEB SRV 172.20.0.100 PORT 80)
LAN 172.16.0.0/24

WAN 192.168.1.13

ZONE POLICY CONFIGURATION

Name: DMZ
Interfaces: eth1
From Zone:
    name    firewall
    LAN     LAN-LAN-DROP
    WAN     FROM-INT

Name: LAN
Interfaces: eth2
From Zone:
    name    firewall
    DMZ     LAN-LAN-DROP
    WAN     FROM-INT

Name: WAN
Interfaces: eth0
From Zone:
    name    firewall
    DMZ     LAN-LAN-OK
    LAN     LAN-LAN-OK

FIREWALL CONFIG:

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name FROM-INT {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 100 {
            action accept
            destination {
                address 172.20.0.100
                port 80
            }
            log enable
            protocol tcp
        }
    }
    name LAN-LAN-DROP {
        default-action drop
    }
    name LAN-LAN-OK {
        default-action accept
    }
}

NAT DESTINATION CONFIGURATION

nat {
    destination {
        rule 1 {
            destination {
                address 172.20.0.100
                port 80
            }
            inbound-interface eth0
            protocol tcp
            translation {
                address 192.168.1.13
                port 80
            }
        }
    }
}

For me it’s impossible to get the web page from 192.168.1.0/24, but I can connect to SSH on VyOS.

Who can help me?
Thanks

When you configure a destination NAT, the destination IP address in the NAT rule is the original address the client tries to reach, i.e. the WAN address, and the translation address is the real address of the host.

So in your NAT rule you need to exchange the 2 addresses.

Same for the firewall rule, it should allow 192.168.1.13, not 172.20.0.100.

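The NAT rule from the original post, rewritten the way Jeff describes (destination = the WAN address the client connects to, translation = the real DMZ host). This is an added example in VyOS configure-mode syntax as used in the post (1.2/1.3 style, where `inbound-interface` takes the interface name directly); it is not taken from the thread, reuses only the lab's own addresses and interface names, and covers the NAT rule only, not the firewall ruleset.

```vyos
# Added example: VyOS configure-mode commands for the lab in the thread
# (WAN 192.168.1.13 on eth0, web server 172.20.0.100 in the DMZ).
configure

# Remove the reversed rule from the original post. Its "destination
# 172.20.0.100" never matches inbound traffic, because clients on
# 192.168.1.0/24 send their packets to the WAN address, not the DMZ one.
delete nat destination rule 1

# Corrected rule: match what the client actually addresses (the WAN IP and
# port 80 arriving on eth0), then rewrite the destination to the DMZ host.
set nat destination rule 1 description 'WAN:80 -> DMZ web server'
set nat destination rule 1 inbound-interface eth0
set nat destination rule 1 protocol tcp
set nat destination rule 1 destination address 192.168.1.13
set nat destination rule 1 destination port 80
set nat destination rule 1 translation address 172.20.0.100
set nat destination rule 1 translation port 80

commit
save

# Verify: browse to http://192.168.1.13/ from a host on 192.168.1.0/24 and
# check that the rule's packet counter increases. A counter that stays at
# zero means the match fields (address/port/interface) are still wrong.
run show nat destination statistics
exit
```

Because the rule only matches TCP/80 arriving on eth0 for the WAN address, no other DMZ service is exposed by this translation; anything reachable through it still has to pass the WAN-to-DMZ ruleset (FROM-INT in the post).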
Hello Jeff,

Thanks so much for your quick reply.

It’s OK for me, all works!

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.